The case against hacking your own employees

Enterprise IT and information security teams almost always find themselves pushing against resource limitations in the face of unending attacks and increasingly sophisticated criminals.

In response, a trend has emerged over the past few years of providing leadership with a (supposed) “reality check” that demonstrates just how susceptible their organisations are to phishing, social engineering, spoofing and other types of email attacks.

Predictably, there is a range of vendors to choose from when orchestrating these kinds of “security awareness” events. The core thesis for each is that by validating the risk, security staff can simultaneously secure budget for additional training while shifting the burden of staying secure onto end users. This is flawed logic.

Embarrassment rarely accomplishes anything positive, and from an information security perspective, this tactic has been thoroughly discredited. As Tom Shultz of Gartner Research pointed out at last year’s Security and Risk Management Summit in London, “The paradigm for training, behaviour-shaping, monitoring, and employee-enabling technologies will shift” as organisations respond to a technological landscape that is embracing cloud services, mobile access to corporate messaging and email platforms, as well as growing freedom for employees to use technology in new ways.

Experience has taught us that attacking our own employees doesn’t increase cyber-resilience so much as it positions the internal IT team as an antagonist, making it harder to get people on board with strategic initiatives. More troublingly, the notion that leadership will wake up to risk because their own IT and InfoSec staff have demonstrated a weakness generally doesn’t lead to more effective security; at best, it leads to more investment in ineffective, outdated, and cumbersome technological solutions and policies.

Security Is Not “Security Awareness”

Major data breaches are front-page news on an almost daily basis, and every employee already understands that hackers are a real, persistent threat. Cybersecurity trainings are typified by half-hearted compliance tick-box initiatives that largely waste time and resources. When an attack actually happens, it will generally be missed by staff who were admonished weeks or months earlier to operate more securely.

The pervasiveness of email, the proliferation of self-owned devices, and the always-on nature of modern work make it impossible for people to be constantly vigilant. High-stress, deadline-oriented work environments (an apt description of almost all enterprises these days) create situations where employees will access, transfer or work with data outside even the most thoughtful cybersecurity strategy. There is no way to transform people into hard targets for hackers; they are all soft.

Enterprises have been in a state of panic as hackers have recently gained an advantage over organisations relying on misguided tactics and outdated tools to defend themselves. IT leaders are investing billions in perimeter-based security solutions and training to make it as difficult as possible for hackers to gain entry to their networks; these integrations are complex, highly expensive, and ultimately ill-suited to the low-volume, hyper-targeted attacks that are most effective today. Rather than trying to shame and then coach employees, IT leaders should be looking to create a frictionless information security strategy, one that is natively integrated into the workflows of ordinary users and that complements rather than conflicts with technology-centric security investments.

The notion that staff cannot remain highly productive and keep data safe at the same time is a false dichotomy; security must become more automated, driven by the information security team’s ability to position both people and technology to succeed.

Hackers are always looking for an edge; the prominence of social engineering techniques and spear phishing / whaling / business email compromise attacks proves that when the rewards are large enough, these criminals are willing to invest considerable time in researching and developing non-technological threats that simply bypass yesterday’s security infrastructure.

Adaptation through Automation

The key to stopping these attacks is not “more tools”, but rather a shift in mindset. One of the trends we see is that bolstering detection capabilities is more effective when coupled with automated response capabilities and preventive controls that inform and guide behaviour, rather than prohibit users from working. For the average end-user, security should be front and centre, but only when security is relevant.

Consider the classic information security triangle: detection of attacks at the moment they arrive; analysis that zeroes in on the suspicious events and contextualises them, equipping IT to focus its limited time on what matters most; and a response that keeps the window of exposure as short as possible.

Adopting the infosec triangle with a focus on automation allows security teams to spend their time understanding and preventing threats categorically rather than being buried in the noise of day-to-day alerts. This focus yields even stronger results when not only detection but also response is driven by policy rather than manual action. As information security and IT roles become more analytical, the ability to narrow the time between incident and remediation is key to preventing a major financial or data loss event.

We can see this shift in the adoption of autonomic security and data-driven threat identification. Statistically, we see that machine-driven security coupled with appropriate end-user engagement at the moment of threat identification reduces security professionals’ operational workloads by nearly 90 per cent. In many cases, architecting for automation eliminates the laborious daily manual data review that traditional solutions require. Companies do themselves and their IT staff a grave disservice when they force their tech team to commit resources to reviewing message quarantines and generic (and often harmless) “security alerts.” Automation empowers a company’s users to make better security decisions when they matter most, and complementary technologies allow staff to operate freely without compromising security.
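To make the detection / analysis / response triangle and the policy-driven response concrete, here is an added worked example in Python. It is not code from the article or from any product the article alludes to. It scores inbound mail events for the lookalike-domain and business-email-compromise traits discussed above, carries the reasons with the verdict so an analyst does not have to re-read the message, and applies a fixed policy: quarantine automatically, deliver with a warning that nudges the user at the moment it matters, or deliver silently. The trusted domains, lure phrases, weights, thresholds, the `first_seen_sender` flag and the sample messages are all constructed assumptions for illustration.

```python
"""Policy-driven triage of inbound mail: detect -> contextualise -> respond.

Constructed example (not the article's own code). Every constant below is an
assumption chosen for illustration, not a recommended production setting.
"""
from __future__ import annotations

from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumed: domains the organisation trusts (its own and one known vendor).
TRUSTED_DOMAINS = ["example.com", "payroll-vendor.example"]
# Assumed: phrases typical of BEC / whaling lures.
BEC_PHRASES = ("wire transfer", "urgent", "gift card", "change bank details")
# Assumed policy: score thresholds mapped to automated actions, highest first.
POLICY = [(70, "quarantine"), (30, "deliver_with_warning"), (0, "deliver")]


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    first_seen_sender: bool  # assumed to come from a sender-history store


@dataclass
class Verdict:
    score: int
    reasons: list[str]  # context an analyst or the recipient can act on
    action: str
    user_prompt: str    # empty when no user engagement is warranted


def lookalike_domain(domain: str) -> str | None:
    """Detection: the trusted domain `domain` most resembles, if `domain` is
    not itself trusted and the similarity ratio is at least 0.8 (assumed)."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    best = max(TRUSTED_DOMAINS,
               key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.8 else None


def analyse(msg: Message) -> tuple[int, list[str]]:
    """Analysis: score the message and record why, so the reasons travel with
    the verdict instead of forcing a manual re-read later."""
    score, reasons = 0, []
    domain = msg.sender.rsplit("@", 1)[-1]
    target = lookalike_domain(domain)
    if target:
        score += 50
        reasons.append(f"sender domain {domain!r} resembles trusted {target!r}")
    if msg.first_seen_sender:
        score += 20
        reasons.append("first message ever received from this sender")
    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in BEC_PHRASES if p in text]
    if hits:
        score += 10 * len(hits)
        reasons.append("BEC-style wording: " + ", ".join(hits))
    return score, reasons


def respond(msg: Message) -> Verdict:
    """Response: apply POLICY with no human in the loop; engage the user only
    when the message is delivered with a warning."""
    score, reasons = analyse(msg)
    action = next(a for threshold, a in POLICY if score >= threshold)
    prompt = ""
    if action == "deliver_with_warning":
        prompt = ("Caution: " + "; ".join(reasons)
                  + ". Verify any payment or credential request out of band.")
    return Verdict(score, reasons, action, prompt)


def triage(messages: list[Message]) -> dict:
    """Run policy over a batch; only quarantined items reach the analyst queue."""
    verdicts = [respond(m) for m in messages]
    return {
        "verdicts": verdicts,
        "analyst_queue": [v for v in verdicts if v.action == "quarantine"],
    }


# Constructed sample traffic (not real messages).
SAMPLE = [
    Message("ceo@examp1e.com", "Urgent wire transfer",
            "Please process the wire transfer today.", True),
    Message("alice@example.com", "Lunch", "Team lunch on Friday?", False),
    Message("billing@newsupplier.example", "Updated invoice",
            "Please change bank details for future payments.", True),
    Message("bob@example.com", "Urgent: slide review", "Can you look today?", False),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for v in result["verdicts"]:
        print(v.action, v.score, v.reasons)
    print(len(result["analyst_queue"]), "of", len(SAMPLE), "need an analyst")
```

Of the four sample messages, only the lookalike-domain wire-transfer lure is quarantined and reaches an analyst; the unknown supplier asking to change bank details is delivered with a warning that tells the recipient exactly why and what to do; the two messages from known colleagues, including the one that merely says “urgent”, are delivered without any prompt. That is the point of the passage above: users are engaged only when security is relevant, and the reasons are computed once, by policy, rather than re-derived by hand from a quarantine queue.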

No amount of periodic training will ever make a notable impact on the safety of a corporate network’s critical information. IT professionals’ time is better spent implementing tools and technologies that augment basic perimeter security functions than babysitting employees.

Employees will always be the soft target in even the best cybersecurity strategies; stay focused on activities that will actually protect data and help the business.